WooYun.org

Visual Studio Code Version 0.10.6存在DLL和EXE劫持漏洞。当使用Code打开文件（比如test.md）时，当前目录（current directory）为test.md所在目录。
Code在启动时尝试运行REG.exe（reg query HKLM\Software\Microsoft\SQMClient /v MachineId），而且没有指定全路径，导致REG.exe可以从当前目录加载[1]。如果攻击者把test.md和reg.exe一起发给用户（比如做成压缩包），那么当用户打开test.md时，reg.exe也会执行。
另外Code还加载了一些不存在的DLL：CSUNSAPI.dll, swift.dll, nfhwcrhk.dll, SureWareHook.dll, aep.dll, atasi.dll, nuronssl.dll, ubsec.dll。这些DLL不存在于应用目录以及系统目录，这导致它们一样可以从当前目录加载。
下载地址：https://**.**.**.**/Docs/?dv=win
[1] 加载exe和加载dll的寻找顺序不一样。加载exe的顺序是：应用目录>当前目录>系统目录>PATH，加载dll的默认顺序是：应用目录>系统目录>当前目录>PATH。这导致即使系统目录中存在该exe，仍可以劫持该exe。
https://**.**.**.**/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
https://**.**.**.**/en-us/library/windows/desktop/ff919712(v=vs.85).aspx
英文版：
Visual Studio Code Version 0.10.6 is vulnerable to DLL and EXE planting attacks.
Product: Visual Studio Code
Version: 0.10.6
Download URL: https://**.**.**.**/Docs/?dv=win
Type of vulnerability: Remote Code Execution
Detail:
VS Code doesn't set its current directory to the application directory. So, when a file (taking test.md as an example) is opened with Code, the current directory is where test.md resides. During initialization, Code launches reg.exe without specifying the full path (reg query HKLM\Software\Microsoft\SQMClient /v MachineId), so reg.exe can be loaded from the current directory, which can be controlled by an attacker if he distributes a zip file containing test.md and a malicious reg.exe.
Also Code loads CSUNSAPI.dll, swift.dll, nfhwcrhk.dll, SureWareHook.dll, aep.dll, atasi.dll, nuronssl.dll, ubsec.dll. These DLLs exist neither in the application directory nor in the system directories. So they can be loaded from the current directory as well.
To fix this vulnerability, set the current directory to the application directory. Alternatively, specify the full path of reg.exe (or use Registry APIs to query values) and call SetDllDirectory("").